UNCLASSIFIED
Windows 7 Image Engineering
DIMEI
System Build and Configuration Overview

Document identifier: DMI-D 012
Issue date: 2013-05-06
Version: 1.03
OPI designator: DIMEI 2 (group); ADM(IM) / DGIMT (division)

Objective: To describe the general build process for the Windows 7 Image.
UNCLASSIFIED Windows 7 Image Engineering – System Build and Configuration Overview
Version 1.03 released 2013-05-06
Page 2 of 31 UNCLASSIFIED
Disclaimer
This document is updated periodically to reflect the current baseline configuration. For the schedule of updates, refer to the Windows 7 Life Cycle Support Plan.
MAKE SURE YOU HAVE THE LATEST UPDATED DOCUMENT.
Release History
Ser | Date Released | Version | Amendment | Author
1 | 2013-01-11 | 1.01 | Initial draft | Jason Parent
2 | 2013-04-26 | 1.02 | Edits | Sheri Salami
3 | 2013-05-06 | 1.03 | Edits | Maria Shkolnik
Table of Contents
1. System-Wide Design Decisions ..... 5
1.1 Operating System ..... 5
1.1.1 OS Features & Components ..... 5
1.2 Installed Software ..... 9
1.3 Security ..... 9
1.3.1 Department of National Defence Configuration Baseline ..... 9
1.4 Storage ..... 11
1.4.1 Folder Redirection ..... 11
1.4.2 Roaming Profiles ..... 12
2. Detailed System Architecture ..... 15
2.1 Security ..... 15
2.1.1 Windows Firewall ..... 15
2.2 Client Experience ..... 16
2.2.1 Visual Appearance ..... 16
2.2.2 User Functionality ..... 19
2.3 Core Applications ..... 23
2.3.1 The 2010 Office System ..... 24
2.3.2 Symantec Endpoint Protection 11 ..... 25
2.3.3 Cisco Security Agent ..... 25
2.3.4 Sun Java Virtual Machine ..... 26
2.3.5 Adobe Reader ..... 26
2.3.6 Adobe Flash Player ..... 26
2.3.7 Regional Settings and Keyboard Selection ..... 27
3. Set Network Registry Key ..... 28
Appendix A: USGCB Configuration Spreadsheet ..... 29
Appendix B: Windows 7 Image Core Components & Software ..... 30
1. System-Wide Design Decisions
1.1 Operating System
1.1.1 OS Features & Components
The following tables outline the proposed configuration and highlight where it deviates from the default:
Table 1-1: Games
Games | Description | Default State | DND/CF State
Games | The Games included with Windows 7. | N | Y
  Inbox Games | | N | Y
    Chess | | N | Y
    FreeCell | | N | Y
    Hearts | | N | Y
    Internet Games | | N | N
    Minesweeper | | N | Y
    More Games | | N | Y
    Purble Palace | | N | Y
    Shanghai | | N | Y
    Solitaire | | N | Y
    Spider Solitaire | | N | Y
Table 1-2: Windows 7 Features & Services
Windows Feature | Description | Default State | DND/CF State
Indexing Service | Starting with Windows Vista, the content indexer was replaced with the Windows Search indexer, which is enabled by default. The old content indexer services are still included with Windows 7 but are not installed or running by default. | N | N
Internet Explorer 8 | | Y | Y
IIS | The Microsoft Internet Information Services (IIS) component provides a Web application infrastructure for all versions of Windows. | N | N
  FTP Server | | N | N
    FTP Extensibility | | N | N
    FTP Service | | N | N
  Web Management Tools | | N | N
    IIS 6 Management Compatibility | | N | N
      IIS 6 Management Console | | N | N
      IIS 6 Scripting Tools | | N | N
      IIS 6 WMI Compatibility | | N | N
      IIS Metabase and IIS 6 configuration compatibility | | N | N
    IIS Management Console | | N | N
    IIS Management Scripts and Tools | | N | N
    IIS Management Service | | N | N
  World Wide Web Services | | N | N
    Application Development Features | | N | N
      .NET Extensibility | | N | N
      Active Server Pages (ASP) | | N | N
      ASP.NET | | N | N
      Common Gateway Interface (CGI) | | N | N
      Internet Server API (ISAPI) Extensions | | N | N
      ISAPI Filters | | N | N
      Server-Side Includes | | N | N
    Common HTTP Features | | N | N
      Default Document | | N | N
      Directory Browsing | | N | N
      HTTP Errors | | N | N
      HTTP Redirection | | N | N
      Static Content | | N | N
      WebDAV Publishing | | N | N
    Health and Diagnostics | | N | N
      Custom Logging | | N | N
      HTTP Logging | | N | N
      Logging Tools | | N | N
      Open Database Connectivity (ODBC) Logging | | N | N
      Request Monitor | | N | N
      Tracing | | N | N
    Performance Features | | N | N
      Dynamic Content Compression | | N | N
      Static Content Compression | | N | N
    Security | | N | N
      Basic Authentication | | N | N
      Client Certificate Mapping Authentication | | N | N
      Digest Authentication | | N | N
      IIS Client Certificate Mapping Authentication | | N | N
      IP Security (IPSec) | | N | N
      Request Filtering | | N | N
      URL Authorization | | N | N
      Windows Authentication | | N | N
IIS Hostable Web Core | | N | N
Media Features | | Y | Y
  Windows DVD Maker | | Y | Y
  Windows Media Center | | Y | Y
  Windows Media Player | | Y | Y
Microsoft .NET Framework 3.5.1 | The .NET Framework is a collection of managed code APIs for presentation, communication, and workflow. | * | *
  Windows Communication Foundation HTTP Activation | | N | N
  Windows Communication Foundation non-HTTP Activation | | N | N
MSMQ Server | Microsoft Message Queuing (MSMQ) enables applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline. | N | N
  MSMQ Server Core | | N | N
    MSMQ Active Directory Domain Services Integration | | N | N
    MSMQ HTTP Support | | N | N
    MSMQ Triggers | | N | N
    Multicasting Support | | N | N
  MSMQ DCOM Proxy | | N | N
Print and Document Services | The Print Services component manages printers and printing within Windows 7. | * | *
  Internet Printing Client | | Y | N
  LPD Print Service | | N | N
  LPR Port Monitor | | N | N
  Scan Management | | N | N
  Windows Fax and Scan | | Y | Y
RAS Connection Manager Administration Kit (CMAK) | | N | N
RIP Listener | This component handles the Remote Access Service (RAS) IP Routing Information Protocol (RIP). | N | N
Services for NFS | Network File System (NFS) is a protocol developed by the Internet Engineering Task Force (IETF) and used for connection to an NFS share. | N | N
  Administrative Tools | | N | N
  Client for NFS | | N | N
Simple TCP/IP Services (e.g. echo, daytime) | | N | N
SNMP Feature | Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. | N | N
  WMI SNMP Provider | | N | N
Subsystem for UNIX-based Applications | SUA provides compatibility with UNIX-based applications. | N | N
Tablet PC Components | This component adds or removes accessories such as Tablet PC Input Panel, Windows Journal, and Snipping Tool as well as features such as handwriting recognizers. | Y | Y
Telnet Client | This component is the client for the terminal emulation program for TCP/IP networks. | N | N
Telnet Server | This component is the server for the terminal emulation program for TCP/IP networks. | N | N
TFTP Client | Trivial File Transfer Protocol (TFTP) is a simple form of FTP that has no security features. | N | N
Windows Gadget Platform | | Y | Y
Windows Process Activation Service | This service manages application pools and worker processes for both HTTP and non-HTTP requests. | N | N
  Microsoft .NET Environment | | N | N
  Configuration APIs | | N | N
  Process Model | | N | N
Windows Search | | Y | Y
Windows TIFF iFilter | | N | N
XPS Services | | Y | Y
XPS Viewer | | Y | Y
Component selection will be accomplished by manipulating the unattend.xml file for the OS from within the MDT 2012 console using the Windows System Image Manager (WSIM) tool included with the Windows Assessment and Deployment Kit (ADK).
The section to be added is as follows:
• Catalog Root Packages
  o Foundation
    • x86_Microsoft-Windows-Foundation-Package_6.1.7600.16385_
OR
• Catalog Root Packages
  o Foundation
    • amd64_Microsoft-Windows-Foundation-Package_6.1.7600.16385_
The settings to be updated are:
• InBoxGames = Enabled
  o Chess = Enabled
  o FreeCell = Enabled
  o Hearts = Enabled
  o Internet Games = Disabled
    • Internet Backgammon = Disabled
    • Internet Checkers = Disabled
    • Internet Spades = Disabled
  o Minesweeper = Enabled
  o More Games = Enabled
  o PurblePlace = Enabled
  o Shanghai = Enabled
  o Solitaire = Enabled
  o Spider Solitaire = Enabled
• Printing-Foundation-Features = Enabled
  o Printing-Foundation-InternetPrinting-Client = Disabled
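The following PowerShell script is an added example (not part of the DND document, and not MDT or WSIM code) that reads the Foundation package section of an unattend.xml and compares each selection with the DND/CF state listed above, so a build engineer can confirm the answer file before it goes into the MDT task sequence. It assumes that the selection names in the XML use the WSIM catalogue spelling (for example "InboxGames" and "MoreGames"); the sample answer file embedded in the script is constructed for this example and deliberately contains one wrong state and one missing selection.

```powershell
# Added example (not from the DND document): check the Foundation package
# selections in an unattend.xml against the DND/CF states listed above.
# Selection names are assumed to match the WSIM catalogue spelling
# (e.g. "InboxGames", "MoreGames"); the sample XML below is constructed.

$ExpectedState = [ordered]@{
    'InboxGames'          = 'true'
    'Chess'               = 'true'
    'FreeCell'            = 'true'
    'Hearts'              = 'true'
    'InternetGames'       = 'false'
    'InternetBackgammon'  = 'false'
    'InternetCheckers'    = 'false'
    'InternetSpades'      = 'false'
    'Minesweeper'         = 'true'
    'MoreGames'           = 'true'
    'PurblePlace'         = 'true'
    'Shanghai'            = 'true'
    'Solitaire'           = 'true'
    'SpiderSolitaire'     = 'true'
    'Printing-Foundation-Features'                = 'true'
    'Printing-Foundation-InternetPrinting-Client' = 'false'
}

function Test-FoundationSelections {
    param([Parameter(Mandatory = $true)][xml]$Unattend)
    # local-name() sidesteps the unattend default namespace without a namespace manager.
    $packages = $Unattend.SelectNodes('//*[local-name()="package"]') | Where-Object {
        $id = $_.SelectSingleNode('*[local-name()="assemblyIdentity"]')
        $id -and $id.GetAttribute('name') -eq 'Microsoft-Windows-Foundation-Package'
    }
    if (-not $packages) { throw 'No Microsoft-Windows-Foundation-Package entry in <servicing>.' }
    foreach ($pkg in $packages) {
        $arch = $pkg.SelectSingleNode('*[local-name()="assemblyIdentity"]').GetAttribute('processorArchitecture')
        $actual = @{}
        foreach ($sel in $pkg.SelectNodes('*[local-name()="selection"]')) {
            $actual[$sel.GetAttribute('name')] = $sel.GetAttribute('state')
        }
        foreach ($name in $ExpectedState.Keys) {
            $state = if ($actual.ContainsKey($name)) { $actual[$name] } else { '<missing>' }
            [pscustomobject]@{
                Architecture = $arch
                Selection    = $name
                Expected     = $ExpectedState[$name]
                Actual       = $state
                Compliant    = ($state -eq $ExpectedState[$name])
            }
        }
    }
}

# Constructed sample answer file: InternetSpades is missing and the
# Internet Printing client is wrongly enabled, so two rows should fail.
$sampleUnattend = [xml]@"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <servicing>
    <package action="configure">
      <assemblyIdentity name="Microsoft-Windows-Foundation-Package" version="6.1.7600.16385"
                        processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="" />
      <selection name="InboxGames" state="true" />
      <selection name="Chess" state="true" />
      <selection name="FreeCell" state="true" />
      <selection name="Hearts" state="true" />
      <selection name="InternetGames" state="false" />
      <selection name="InternetBackgammon" state="false" />
      <selection name="InternetCheckers" state="false" />
      <selection name="Minesweeper" state="true" />
      <selection name="MoreGames" state="true" />
      <selection name="PurblePlace" state="true" />
      <selection name="Shanghai" state="true" />
      <selection name="Solitaire" state="true" />
      <selection name="SpiderSolitaire" state="true" />
      <selection name="Printing-Foundation-Features" state="true" />
      <selection name="Printing-Foundation-InternetPrinting-Client" state="true" />
    </package>
  </servicing>
</unattend>
"@

$report = Test-FoundationSelections -Unattend $sampleUnattend
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant }   # rows to correct in WSIM
```

To check a real answer file, replace the constructed sample with `[xml](Get-Content -Raw .\unattend.xml)`; a missing selection is reported as `<missing>` rather than silently treated as compliant, because WSIM leaves the catalogue default in force for anything the answer file does not name.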
1.2 Installed Software
The following components and software programs will be included (pre-installed) in the Windows 7 master image for all Domains:
Table 1-3: Windows 7 Master Image Components – Core Components added during MDT (Phase 1)
Software | Version | Comments
Microsoft Windows Enterprise Edition | Windows 7 SP1 (Build 7601) | Windows 7 will be produced in x86 and x64 images.
DND Environment Variables | |
DND Workstation Tools | 4.0 |
Microsoft .NET Framework | 4.0 | Already approved & in use on DWAN. No update required. Revision included in stated OS revision level.
MS PowerShell | 3.0 |
VC++ 2005 Redistributable | |
VC++ 2008 Redistributable | |
VC++ 2010 Redistributable | |
Microsoft Office Professional Plus Edition | 2010 SP1 32-bit Version |
Sun Java Virtual Machine | 6 r 27 | Already approved/in use on DWAN & CSNI
Adobe Reader | 9.4 | Already approved/in use on DWAN & CSNI
Adobe Flash Player | 10 | Already approved/in use on DWAN & CSNI
K-Lite Codec Pack | 5.90 | Already approved/in use on DWAN & CSNI
Microsoft Visio Viewer | 2010 | Already approved/in use on DWAN & CSNI
Multi-lingual User Interface | | English and French-language MUI
Note: For a list of core software not common to all domains added to the SCCM OSD Task Sequence, please refer to Appendix B: Windows 7 Image Core Components & Software.
Please note that the above list is what is current to the Windows 7 RC-3 image. This could change in future releases of the image.
1.3 Security
1.3.1 Department of National Defence Configuration Baseline
The following GPOs are an example of what has been implemented on the DWAN:
Table 1-5: DNDCB Group Policy Objects
Policy type | DND Name | Comments
User policies | IMG-DND-U-Win7-NDMSitePrepLogonScript | Scoped to apply only to the NDMNationalWin7SitePrep security group
User policies | IMG-DND-U-Win7-NDMUserEnvironment | Scoped to apply only to the NDMWin7UserEnvFolderRedirection security group
User policies | IMG-DND-U-DNDCB-IE8-User |
User policies | IMG-DND-U-DNDCB-Win7-User |
User policies | IMG-DND-U-Win7 Core Application Settings 1.0-User |
User policies | IMG-DND-U-Win7 Office 2010 Settings-User |
User policies | IMG-DND-U-Win7 Windows Media Player 12-User |
Computer policies | IMG-DND-W-DNDCB-IE8-Computer | IE 8 configuration
Computer policies | IMG-DND-W-DNDCB-Win7-AppPortControl |
Computer policies | IMG-DND-W-DNDCB-Win7-Computer | Computer Configuration – Policy: Logon Message & Dialog Title; USGCB settings overrides (table 9); Windows Firewall turned on, pass-through mode. Computer Configuration – Preferences: Local Administrators group membership. User Configuration – Preferences: Screen Saver default selection; Presentation settings; Disable configuration of wireless settings using Windows Connect Now; Disables interactive logon while deployment is in progress.
Computer policies | IMG-DND-W-DNDCB-Win7-Computer-Energy |
Computer policies | IMG-DND-W-DNDCB-Win7-Core Application Settings 1.0-Computer | Adobe Reader 9.2 DND configuration; Microsoft Silverlight 3.0 configuration; Sun JRE 1.6.0_17 configuration
Computer policies | IMG-DND-W-DNDCB-Win7 Office 2010 Settings-Computer | Office 2010 configuration
Computer policies | IMG-DND-W-DNDCB-Win7 Windows Media Player 12-Computer | Media Player 12 configuration
Computer policies | IMG-DND-W-DNDCB-Win7-AppLocker Exceptions |
Computer policies | IMG-DND-W-Win7-Computer Event Forwarding |
Computer policies | IMG-DND-W-Win7-NDMNationalComputerManagers |
All standard USGCB settings will be adopted, with the exception of three particular configuration items which will be slightly relaxed due to anticipated application compatibility issues in DND’s environment. These differences are highlighted in the DNDCB:
Table 1-6: DND Overrides to USGCB Settings
Setting: Network security: Do not store LAN Manager hash value on next password change
  USGCB Recommendation: Enabled
  DND Override: Disabled
  Rationale: Turning off LM will likely cause problems when authenticating to non-MS applications
  GPO Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
  Registry Value: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Setting: Network security: LAN Manager authentication level
  USGCB Recommendation: Send NTLMv2 Response only. Refuse LM and NTLM
  DND Override: 2. Send LM and NTLM - use NTLMv2 session security if negotiated
  Rationale: Same reason as above
  GPO Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
  Registry Value: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
Setting: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
  USGCB Recommendation: Require NTLMv2 session security, Require 128 bit encryption
  DND Override: Require 128 bit encryption
  GPO Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
  Registry Value: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
There is an additional NIST USGCB policy, USGCB v1.0 Q1 2009 Windows Firewall Settings, which will not be included as this functionality is provided by SEP-11.
See Appendix A for an exhaustive listing of the USGCB security settings.
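The following PowerShell script is an added example (not part of the DND document) that audits the three LSA registry values from Table 1-6 on a built workstation and reports whether each one carries the USGCB recommendation, the DND override, or neither. The value names and paths are those in the table; the numeric decodings are Microsoft's documented ones (LmCompatibilityLevel 0 to 5, where the option text "Send LM & NTLM - use NTLMv2 session security if negotiated" is level 1, and the NTLMMinClientSec flag bits 0x00080000 for NTLMv2 session security and 0x20000000 for 128-bit encryption). The function and column names are this example's own.

```powershell
# Added example (not from the DND document): audit the three LSA values that
# Table 1-6 overrides. Each raw value is decoded to the option text shown in
# the Security Options policy editor and compared with both baselines.
# Numeric encodings are Microsoft's documented ones; function names are ours.

$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function ConvertFrom-NtlmMinSec {
    # NTLMMinClientSec is a bit mask: 0x00080000 = require NTLMv2 session
    # security, 0x20000000 = require 128-bit encryption.
    param([int]$Value)
    $parts = @()
    if ($Value -band 0x00080000) { $parts += 'Require NTLMv2 session security' }
    if ($Value -band 0x20000000) { $parts += 'Require 128 bit encryption' }
    if ($parts.Count -eq 0) { 'No minimum' } else { $parts -join ', ' }
}

$LsaChecks = @(
    @{ Setting = 'Do not store LAN Manager hash value on next password change'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name    = 'NoLMHash'
       Decode  = { param($v) if ($v -eq 1) { 'Enabled' } else { 'Disabled' } }
       Usgcb   = 'Enabled'
       Dnd     = 'Disabled' }
    @{ Setting = 'LAN Manager authentication level'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name    = 'LmCompatibilityLevel'
       Decode  = { param($v) $LmLevelText[[int]$v] }
       Usgcb   = $LmLevelText[5]
       Dnd     = $LmLevelText[1] }
    @{ Setting = 'Minimum session security for NTLM SSP based (including secure RPC) clients'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name    = 'NTLMMinClientSec'
       Decode  = { param($v) ConvertFrom-NtlmMinSec $v }
       Usgcb   = 'Require NTLMv2 session security, Require 128 bit encryption'
       Dnd     = 'Require 128 bit encryption' }
)

function Get-LsaBaselineState {
    param($Checks = $LsaChecks)
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $current = & $c.Decode ([int]$item.($c.Name))
        } else {
            # Value not written at all: the OS default applies, which matches neither baseline text.
            $current = '<absent: Windows default applies>'
        }
        $baseline = if ($current -eq $c.Dnd) { 'DND override' } elseif ($current -eq $c.Usgcb) { 'USGCB' } else { 'Neither baseline' }
        [pscustomobject]@{
            Setting   = $c.Setting
            ValueName = $c.Name
            Current   = $current
            Baseline  = $baseline
        }
    }
}

Get-LsaBaselineState | Format-Table -AutoSize -Wrap
```

Run it in an elevated session on a machine that has received the DNDCB GPOs; a row reporting "Neither baseline" means the value was set by something other than the two policies in Table 1-6 (a local change, an application installer, or an older image) and is worth tracing back before the machine is accepted.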
1.4 Storage
1.4.1 Folder Redirection
Folder Redirection is configured in Group Policy under User Configuration under the following path:
[Group Policy Object Name]\User Configuration\Policies\Windows Settings\Folder Redirection
Folder redirection will be implemented for the following applicable folders:
Table 3: Folder Redirection
Folder | DWAN-Physical | DWAN-Mobile | CSNI-Physical | CSNI-VHD
AppData | | | |
Contacts | | | |
Desktop | | | |
Documents | | | |
Downloads | | | |
Favorites | | | |
Links | | | |
Music | | | |
Pictures | | | |
Saved Games | | | |
Searches | | | |
Videos | | | |
(NEED TO CONFIGURE DWAN ACCORDINGLY):
• AppData: FOLDER REDIRECTED
• Contacts: FOLDER REDIRECTED
• Documents: FOLDER REDIRECTED
• Favorites: FOLDER REDIRECTED
• Links: FOLDER REDIRECTED
FOR VHD (NEED TO INVESTIGATE SCENARIO WHERE A PERSON SWITCHES BACK AND FORTH BETWEEN THIN AND THICK CLIENTS) (NEED TO CONFIGURE VHD ACCORDINGLY):
• AppData: FOLDER REDIRECTED
• Contacts: FOLDER REDIRECTED
• Desktop: FOLDER REDIRECTED
• Documents: FOLDER REDIRECTED
• Downloads: FOLDER REDIRECTED
• Favorites: FOLDER REDIRECTED
• Links: FOLDER REDIRECTED
• Music: FOLDER REDIRECTED
• Pictures: FOLDER REDIRECTED
• Saved Games: FOLDER REDIRECTED
• Searches: FOLDER REDIRECTED
• Videos: FOLDER REDIRECTED
1.4.2 Roaming Profiles
Incompatibilities between Windows XP and Windows 7 include the following:
Table 1-8: Profile Folder Structure Changes - v1 & v2 Profiles
Configuration Item | Windows XP (v1 profile) | Windows 7 (v2 profile)
AppData | N/A | C:\Users\%UserName%\AppData
Application Data | C:\Documents and Settings\%UserName%\Application Data | C:\Users\%UserName%\AppData\Roaming
Contacts | N/A | C:\Users\%UserName%\Contacts
Cookies | C:\Documents and Settings\%UserName%\Cookies | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Cookies
Desktop | C:\Documents and Settings\%UserName%\Desktop | C:\Users\%UserName%\Desktop
Documents | C:\Documents and Settings\%UserName%\My Documents | C:\Users\%UserName%\Documents
Downloads | N/A | C:\Users\%UserName%\Downloads
Favorites | C:\Documents and Settings\%UserName%\Favorites | C:\Users\%UserName%\Favorites
Links | N/A | C:\Users\%UserName%\Links
Local Settings | C:\Documents and Settings\%UserName%\Local Settings | N/A
  | C:\Documents and Settings\%UserName%\Local Settings\Application Data | C:\Users\%UserName%\AppData\Local
  | C:\Documents and Settings\%UserName%\Local Settings\History | C:\Users\%UserName%\AppData\Local\Microsoft\Windows\History
  | C:\Documents and Settings\%UserName%\Local Settings\Temp | C:\Users\%UserName%\AppData\Local\Temp
  | C:\Documents and Settings\%UserName%\Local Settings\Temporary Internet Files | C:\Users\%UserName%\AppData\Local\Microsoft\Windows\Temporary Internet Files
Music | C:\Documents and Settings\%UserName%\My Music | C:\Users\%UserName%\Music
My Recent Documents | C:\Documents and Settings\%UserName%\Recent | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Recent
NetHood | C:\Documents and Settings\%UserName%\NetHood | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Pictures | C:\Documents and Settings\%UserName%\My Pictures | C:\Users\%UserName%\Pictures
PrintHood | C:\Documents and Settings\%UserName%\PrintHood | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Saved Games | N/A | C:\Users\%UserName%\Saved Games
Searches | N/A | C:\Users\%UserName%\Searches
SendTo | C:\Documents and Settings\%UserName%\SendTo | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\SendTo
Start Menu | C:\Documents and Settings\%UserName%\Start Menu | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu
Templates | C:\Documents and Settings\%UserName%\Templates | C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Templates
Videos | C:\Documents and Settings\%UserName%\My Videos | C:\Users\%UserName%\Videos
In addition, the following folders are also changed:
• All Users profile changes to Public
• Recycle Bin moves into the profile, enabling per-user delete and restore
Figure 1: Windows 7 v2 Profile Folder Structure
2. Detailed System Architecture
Existing IS Services Used
• Standard DWAN and CSNI networking services (DNS, DHCP, proxies, firewalls etc.)
• Active Directory
• Symantec Endpoint Protection (SEP) 11
• Microsoft Exchange e-mail services
• DVPNI (Nortel Contivity)
New or Updated IS Services Used (some of these do not apply to every network)
• Updated: Cisco Security Agent (CSA) 6
• Updated: Configuration Manager 2007 R2 (replaces SMS 2003)
• Updated: Public Key Infrastructure (PKI)
  o PKI Certificate Authority: Entrust CA v7.1 SP2
  o PKI Client: Entrust ESP 9
  o Outlook Support: ESPo 8
  o Smartcard Support: SafeNet Borderless Protection 7.2
IS Services Provided by Subject System
• Desktop computing (general purpose), including e-mail services.
2.1 Security
2.1.1 Windows Firewall
Windows Firewall settings are configured in the GPO “IMG-DND-W-Windows 7 Desktop Settings 1.0”, where the Windows Firewall is set to “On” for all profiles. The following pass-through configuration rules for Windows Firewall are implemented:
• Group Policy Key Path: Computer Configuration / Windows Settings / Security Settings / Windows Firewall with Advanced Security / Windows Firewall with Advanced Security
  Domain Profile
  o Windows Firewall: On
  o Inbound connections that do not match a rule are allowed
  o Outbound connections that do not match a rule are allowed
  Private Profile
  o Windows Firewall: On
  o Inbound connections that do not match a rule are allowed
  o Outbound connections that do not match a rule are allowed
  Public Profile
  o Windows Firewall: On
  o Inbound connections that do not match a rule are allowed
  o Outbound connections that do not match a rule are allowed
• Inbound Rules
  Name: Allow All
  Action: Allow Connection
  Programs & Services: All
  Protocols & Ports: Any Protocol, All Local & Remote Ports
  Scope: Any Local or Remote IP Subnet
  Profiles & Interfaces: All
• Outbound Rules
  Name: Allow All
  Action: Allow Connection
  Programs & Services: All
  Protocols & Ports: Any Protocol, All Local & Remote Ports
  Scope: Any Local or Remote IP Subnet
  Profiles & Interfaces: All
Important: The Windows Firewall must not be disabled by stopping the service. If the Windows Firewall with Advanced Security service is turned off, other benefits provided by the service are also lost, such as the ability to use Internet Protocol security (IPsec) connection security rules, Windows Service Hardening, and network protection from attacks that employ network fingerprinting. Non-Microsoft firewall software that is compatible with Windows 7 and Windows Server 2008 can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility. The SEP 11 client automatically accomplishes this. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.
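The following PowerShell script is an added example (not part of the DND document, and not SEP or Microsoft code) that checks a workstation against the two requirements of this section: the Windows Firewall with Advanced Security service (MpsSvc) must still be running, and each of the three profiles must be On with unmatched inbound and outbound connections allowed. It reads the documented firewall registry locations, giving GPO-delivered values under the Policies key precedence over locally configured ones; the compliance rule and function names are this example's own.

```powershell
# Added example (not from the DND document): verify that MpsSvc is running and
# that every firewall profile is On in pass-through mode (unmatched inbound
# and outbound connections allowed), as Section 2.1.1 specifies. Registry
# locations are the documented policy and local firewall keys; the compliance
# rule and function names are this example's own.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Profile display name -> registry subkey (the Private profile is stored as StandardProfile)
$ProfileKeys = [ordered]@{ Domain = 'DomainProfile'; Private = 'StandardProfile'; Public = 'PublicProfile' }

function Get-FirewallSetting {
    # A GPO-delivered value under the Policies key wins over the local one.
    param([string]$ProfileKey, [string]$Name)
    foreach ($root in @($PolicyRoot, $LocalRoot)) {
        $item = Get-ItemProperty -Path "$root\$ProfileKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null    # present in neither location
}

function Test-PassThroughFirewall {
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    $serviceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')
    foreach ($fwProfile in $ProfileKeys.Keys) {
        $key      = $ProfileKeys[$fwProfile]
        $enabled  = Get-FirewallSetting $key 'EnableFirewall'
        $inbound  = Get-FirewallSetting $key 'DefaultInboundAction'    # 0 = Allow, 1 = Block
        $outbound = Get-FirewallSetting $key 'DefaultOutboundAction'   # 0 = Allow, 1 = Block
        # An absent DefaultInboundAction means the Windows default (block unmatched
        # inbound), which is not pass-through mode; an absent outbound action means allow.
        $inAllowed  = ($inbound -eq 0)
        $outAllowed = ($null -eq $outbound -or $outbound -eq 0)
        [pscustomobject]@{
            Profile         = $fwProfile
            ServiceRunning  = $serviceRunning
            FirewallOn      = ($enabled -eq 1)
            InboundAllowed  = $inAllowed
            OutboundAllowed = $outAllowed
            PassThrough     = ($serviceRunning -and $enabled -eq 1 -and $inAllowed -and $outAllowed)
        }
    }
}

Test-PassThroughFirewall | Format-Table -AutoSize
```

A profile showing `FirewallOn` true but `ServiceRunning` false is the exact condition the note above warns about: the policy says On, but someone has stopped MpsSvc, so IPsec connection security rules and Windows Service Hardening are no longer in effect even though the GPO looks correct.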
2.2 Client Experience
2.2.1 Visual Appearance
As a result, the following settings will be enabled for all users who have the Windows Aero user experience (default):
• Dynamic Scaling for Windows
• Windows Flip
• Windows Flip 3D
• Live Taskbar thumbnails
Users whose computers are set to the Windows 7 Basic (or Windows Classic) user experience will not get these features. The default “Windows 7” visual theme will be applied.
Table 2-1: Windows 7 Default Themes
Windows 7 (Theme Type: Aero Glass)
  Background: Harmony (File Name: Img0.jpg)
  Windows Color: Sky
  Sounds: Windows Default
  Screen Saver: None. Managed by GPO; the resulting settings are:
    • Screen Saver: Blank
    • Timeout: 15 Minutes
    • Password on Resume: Yes
Windows 7 Basic (Theme Type: Basic & High Contrast)
  Background: Harmony (File Name: Img0.jpg)
  Windows Color: Windows 7 Basic
  Sounds: Windows Default
  Screen Saver: None
Windows Classic (Theme Type: Basic & High Contrast)
  Background: Solid Color (Background Colour: Blue)
  Windows Color: Windows Classic
  Sounds: Windows Default
  Screen Saver: None
2.2.1.1 Screen Saver
This configuration is controlled by the following GPOs (note that the settings shown here are valid only as of the time of writing):
• IMG-DND-U-DNDCB-Win7-User – Windows 7 Additional Settings (User Configuration / Policy)
  o Enable Screen Saver
  o Password-Protect Screen Saver
  o Screen Saver Timeout: 900 seconds (15 minutes)
• IMG-DND-W-Windows 7 Desktop Settings 1.0 (User Configuration / Preference): assigns a default Screen Saver of “Blank” (SCRNSAVE.SCR) if none is selected.
  o Item-Level Targeting: If Registry Value “HKCU\Control Panel\Display\SCRNSAVE.EXE” (REG_SZ) does not exist
  o Refresh this setting regularly
2.2.1.2 Start Menu
The Start menu can be customized using domain-based Group Policy objects (GPOs) according to business requirements. (The Windows 7 Image Start menu will remain in its default configuration, as we expect desired customizations to come to light during the Pilot process).
From the Start Menu, users have quick access to their most frequently used applications, folders, and tools. The top of the left side is the Pin To area. Users can right-click program icons, and then click Pin To Start Menu. From then on, the icon will be displayed in this area.
The bottom portion of the left side displays the applications that users most commonly run. This area of the menu is dynamically built based on application usage patterns. At the very bottom of the left pane, the All Programs option displays the All Programs menu.
The top of the right side shows commonly used folders for quick access. The bottom of the right side displays commonly required utilities, such as Control Panel and Help.
Figure 2: Windows 7 Start Menu
The Start menu can be configured using the interface shown in Figure 2. These default settings reinforce the new Windows 7 experience for the user. They will remain entirely user-configurable, as these settings do not have any security implications.
Figure 2: Windows 7 Start Menu Properties
2.2.2 User Functionality
2.2.2.1 User Profiles
In addition to the user registry, the following directories make up a user’s profile:
• AppData: Default location for user application data and binaries (hidden by default)
• Contacts: Default location for the user’s contacts
• Desktop: Desktop items, including files and shortcuts
• Documents: Default location of all user-created documents
• Downloads: Default location to save all downloaded content
• Favorites: Internet Explorer Favorites
• Links: Contains Windows Explorer Favorite links
• Music: Default location for the user’s music files
• Pictures: Default location for the user’s picture files
• Saved Games: Used for saved games
• Searches: Default location for saved searches
• Videos: Default location for the user’s video files
The names of the folders and their locations have changed under the profile. Previous versions of user profiles contained a complex folder structure, often including nested folders two and three layers deep. The new folder locations contain fewer nested folders to ease navigation, and the new names are more intuitive to the data contained within them.
Windows Vista and Windows 7 have also changed the Application Data folder structure. Previous user profiles did not logically sort data stored in the Application Data folder, making it difficult to distinguish data that belonged to the computer from data belonging to the user. Windows 7 addresses this issue by creating a single AppData folder under the user profile. The AppData folder contains three subfolders: Roaming, Local, and LocalLow.
Windows uses the Local and LocalLow folders for application data that does not roam with the user. Typically, this data is either computer specific or too large to roam. The AppData\Local folder in Windows 7 is the same as the Documents and Settings\username\Local Settings\Application Data folder in Windows XP.
Windows 7 renames the All Users profile to the Public profile, and the folder structure is the same as all Windows Vista profiles. Windows Explorer will continue to merge specific folders in the Public profile, such as Desktop and the Start menu, with regular user profiles at logon. The Public profile does not have a user registry, because Windows does not load this profile. Therefore, Windows writes all shared settings to the HKEY_LOCAL_MACHINE hive of the registry.
When users log on for the first time to a computer running Windows 7, they do not have a roaming profile in place, so they get a copy of the local default user profile. For this reason, the default user profile will be configured to provide the required look and feel.
The majority of desktop settings will be applied centrally by using Group Policy (or GPP). The settings that the users can change will be initially set using an “Apply once” GPP and/or the Default User profile. For example, to set the system theme to Windows Aero theme but allow users to switch to Windows Classic mode, the Aero theme should be set in the Default User profile or in a GPP. In order to prevent users from changing the view, the Group Policy should be set.
2.2.2.2 Folder Redirection
Windows redirects the local folder to a central location, giving users immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.
In Windows XP, the only folders that Folder Redirection supported were Application Data, Desktop, My Documents, My Pictures, and Start Menu. Heavily used folders such as Favorites and Cookies were not included, so it was still possible for profiles to grow large enough to slow down performance.
Windows Vista and Windows 7 have an improved roaming user experience, leveraging changes in user profiles and Folder Redirection. The user profile folder structure or namespace has changed. Logically divided, the user profile namespace has a distinct separation between user and application data. Folder Redirection returns with the same behavior; however, now you can redirect 10 folders out of the user profile.
Also, the new Folder Redirection Group Policy snap-in allows you to manage Folder Redirection policies for Windows 7, Windows Vista, Windows XP, and Windows 2000. You can create the most efficient roaming user experience when you combine Folder Redirection and Roaming Profiles.
All known folders can be redirected individually (for example, redirect Documents without redirecting Music and Pictures). Redirected folders are not (by default) synchronized, resulting in quicker logon/logoff times.
Redirection of at least the Documents and Desktop folders will be implemented for the following reasons:
• The folders that make user profiles large are typically Documents and Desktop. It is not uncommon for a user to drop 5 MB spreadsheets on their desktops so that they are easy to access, not realising this file will now be copied to the server (in their profile) when they log off. At least if these files are in a redirected Desktop, they are only copied again if the file is changed rather than every time users log on to a different computer.
• By reducing the profile size, the user logon experience will be greatly enhanced.
• If a user logs onto a computer for the first time, not all the files on the Desktop are downloaded to the computer. They are only copied if the files are accessed. Users will see the icons, but their logon will not be degraded by first-time downloads.
• If a user has a redirected desktop, administrative staff can easily see the contents of that desktop by looking in the redirected folder located on the network drive. This helps in the troubleshooting process.
• If the Desktop folder is redirected to a user’s home share, quotas will apply to the desktop data. This deters users from littering their desktops with excessive amounts of large files.
• Documents are the default location for data files from Microsoft Office and many other applications. If left as default, this folder is part of the Roaming Profile.
The folders will be redirected to the same file servers that the current Windows XP users’ folders are redirected to.
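The following PowerShell script is an added example, not part of the DND document, that a desktop engineer can run on a deployed client to confirm that redirection actually took effect. It reads the per-user shell folder registry values, expands them, and reports each redirectable folder as local, redirected to the expected file server, or redirected somewhere unexpected. The expected root (`\\FILESERVER\Users$`) is a placeholder assumption; the document leaves the real root path as TBD.

```powershell
# Added example (not from the DND document): report which known folders are
# redirected for the current user and whether they point at the expected
# file server root. ExpectedRoot is a placeholder; the document leaves it TBD.
param(
    [string]$ExpectedRoot = '\\FILESERVER\Users$'
)

# Registry value names Windows uses for the redirectable known folders.
$folders = @{
    'Desktop'    = 'Desktop'
    'Documents'  = 'Personal'
    'AppData'    = 'AppData'
    'Favorites'  = 'Favorites'
    'Pictures'   = 'My Pictures'
    'Music'      = 'My Music'
    'Videos'     = 'My Video'
    'Start Menu' = 'Start Menu'
    'Downloads'  = '{374DE290-123F-4565-9164-39C4925E467B}'   # Downloads known-folder GUID
}

$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$props = Get-ItemProperty -Path $key

foreach ($name in ($folders.Keys | Sort-Object)) {
    $raw = $props.($folders[$name])
    if (-not $raw) { continue }   # value absent: folder not present for this profile

    # Values are stored unexpanded (e.g. %USERPROFILE%\Desktop); expand before testing.
    $path  = [Environment]::ExpandEnvironmentVariables($raw)
    $isUnc = $path.StartsWith('\\')

    $status = if (-not $isUnc) {
                  'LOCAL (not redirected)'
              } elseif ($path.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)) {
                  'redirected'
              } else {
                  'redirected to UNEXPECTED root'
              }

    [pscustomobject]@{ Folder = $name; Path = $path; Status = $status }
}
```

A folder that should be redirected but reports LOCAL usually means the policy has not applied yet (redirection is processed at logon, and may require two logons) or the user is not in the targeted group; a folder redirected to an unexpected root is worth investigating, since it means user data is being written to a share the desktop team does not control.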
Table 2-2: Folder Redirection Group Policy Configuration

Columns: Policy Path | Policy Setting | Setting Value | Setting Configuration

Each policy path listed below sits under User Configuration / Policies / Windows Settings / Folder Redirection and carries the same row:

Setting | Not Configured |
Setting | No Folder redirection |
Setting | Basic | Create a Folder for each User under the root path; Root Path
Setting | Advanced | Existing Group Names; Create a Folder for each User under the root path; Root Path: TBD

Policy paths (one row each):
AppData (Roaming)
Desktop
Start Menu
Documents
Pictures
Music
Videos
Favorites
Contacts
Downloads
Links
Searches
Saved Games
2.2.2.3 Roaming Profiles
Changes to how Roaming Profiles are handled in Windows 7 and changes to Group Policy Roaming Profile settings for Windows 7 include:
• Roaming folder: Windows 7 uses the Roaming folder for application-specific data, such as custom dictionaries, which are machine independent and should roam with the user profile. The AppData\Roaming folder in Windows 7 is the same as the Documents and Settings\username\Application Data folder in Windows XP.
• Profile size: Group Policy can be used to enforce limits to the size of Roaming Profiles. Earlier versions of Windows prevented users from logging off when the size of their profile exceeded the size in the policy setting. Windows 7 still respects this policy setting; however, it no longer prevents the user from logging off the computer. Windows does not synchronize the user’s profile to the profile server when it exceeds the policy-enabled limit.
• Profile loads: Windows 7 provides little information about the status of loading or unloading Roaming Profiles during user logon and logoff. This lack of information is misleading and may give users the impression that Windows 7 is unresponsive. You can use the computer Group Policy setting “verbose vs. normal status messages” to change this behavior. This changed behavior displays more information about the status of Windows loading and unloading the Roaming Profile during user logon and logoff.
• Profile compatibility: The user profile namespace used in Windows XP is identical to that used in Microsoft Windows 2000, making interoperability between the operating systems transparent. However, the significant changes in the Windows 7 profile namespace create a challenge. These changes prevent Windows 7 from loading user profiles from previous versions of Windows, and previous versions of Windows do not load Windows 7 user profiles. Therefore, Windows 7 Roaming Profiles will add “v2” to the end of the profile folder. The “v2” suffix isolates Windows 7 Roaming Profiles from those created by previous operating systems.
• Handle termination: Under Windows 7, applications that do not release handles to the registry hives during logoff now have their handles terminated to allow synchronization. This stops the situation under Windows XP where applications could delay profile synchronization at logoff or could prevent successful synchronization in some cases.
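As an added example (not from the DND document), the script below lists the profiles present on a client that have a roaming profile configured and flags any whose server path lacks the Windows 7 “v2” suffix discussed above. It reads the `ProfileList` registry key, where Windows records the local profile path and, for roaming users, the central profile path; a roaming Windows 7 profile whose central path does not end in `.V2` would indicate a misconfigured profile path or an XP-era profile being reused.

```powershell
# Added example (not from the DND document): enumerate local profiles that have a
# roaming (central) profile path and check for the Windows 7 ".V2" folder suffix.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem -Path $profileList | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath

    # CentralProfile holds the roaming profile server path; it is empty for local-only profiles.
    if (-not $p.CentralProfile) { return }

    [pscustomobject]@{
        Sid            = $_.PSChildName
        LocalPath      = $p.ProfileImagePath
        CentralProfile = $p.CentralProfile
        # Windows 7 isolates its roaming profiles by appending .V2 to the profile folder name.
        IsV2           = [bool]($p.CentralProfile -match '\.V2$')
    }
}
```

Running this on a sample of pilot machines gives a quick confirmation that Windows 7 users are being given their own v2 profile store rather than loading (and potentially corrupting) a Windows XP profile.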
2.3 Core Applications
Core applications are applications or utilities that are used enterprise-wide and will be included in the master image deployed to all client computers:
• Office 2010 Professional Plus
• SEP-11
• CSA
• Java Virtual Machine
• Adobe Reader
• Adobe Flash
• K-Lite codec Pack
• Microsoft Silverlight
• .NET Framework 4
• Multi-lingual User interface (English and French-language MUI)
• Microsoft Visio viewer
• DND Environment Variables
• DND Workstation Tools
• MS PowerShell 3.0
• VC++ redistributables
Note that the Group Policy Preferences Client-Side Extensions (CSEs), which previously had to be included in Windows Vista images, are already part of Windows 7.
2.3.1 The 2010 Office System
Table 2-3: Office Installation Information

Category: Information

Version: Microsoft Office 2010, SP1 Professional Plus Edition.
Rationale: Latest commercial release of the Microsoft Office System client software. Upgrade of existing Office 2003 implementation at DND.
Installed components: The following components will be installed as part of the Office 2010 SP1 Professional Plus deployment:
• Word
• Excel
• PowerPoint
• Outlook
• Access
• InfoPath
• Publisher
• OneNote
• Microsoft Office 2010 Tools
Service packs & Updates: The image build will be updated quarterly with the current approved patches, including Office patches. Interim patches will be delivered via System Center Configuration Manager. Please refer to the National Desktop Management (NDM) support page for the list of patches applied to the reference image.
Configuration Management: All Office 2010 configuration settings that are covered by a Group Policy Template (ADMX) will be managed via GPO. Other settings deemed necessary by DND but not covered by GPO will be configured via GPP (Group Policy Preference) as per DIMEI 2-4.
Installation Method: Silent install during the image creation process in the Deployment Workbench.
Setup Command: Setup.exe
2.3.1.1 2010 Office System Look and Feel
The 2010 Office system has a completely new UI for Microsoft Office Word®, Excel®, and PowerPoint® applications, with the traditional menu bar replaced by the Ribbon UI. The redesign makes the whole user experience more intuitive, graphical, and contextualized by completely rationalizing the interface. In addition, new features are available within the products, such as the new Microsoft SmartArt™ graphical features that users of previous versions will not be familiar with.
2.3.1.2 Office Open XML Formats
The new Office Open XML Formats are a departure from the binary format used in previous versions of Microsoft Office and are based on Extensible Markup Language (XML) technology. Although these formats provide many benefits, managing the conversion to the new Office Open XML Formats may be required. The Office File Converter (OFC) Pack, which is available for Microsoft Office 2000 and later, allows users of earlier Microsoft Office versions to view and edit documents saved in the new file format.
In terms of co-existence, users must understand which capabilities are tied to the 2010 Office system—for example, users of Microsoft Office 2000 cannot modify SmartArt graphics.
Considering the limited scope of the internal pilot (50 users), a Group Policy Object (GPO) will be created to configure the Office applications (Word, Excel and PowerPoint) to save their files in the legacy binary formats (the same format natively used by Office 2003) by default.
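The script below is an added example, not part of the DND document or its GPO, that reports whether the Office 2010 “default save format” policy is in effect for Word and Excel on a pilot client. The registry locations and values are those written by the Office 2010 Group Policy templates (ADMX) as the author recalls them and are stated here as assumptions to be confirmed against the template in use; the PowerPoint equivalent should be taken from the same template.

```powershell
# Added example (not from the DND document): check whether the Office 2010 policy
# that forces the legacy binary save format is present for Word and Excel.
# Key paths and values are assumptions based on the Office 2010 ADMX templates.
$base = 'HKCU:\Software\Policies\Microsoft\Office\14.0'

# Expected policy values for the Office 97-2003 binary formats.
$expected = @{
    Word  = @{ Name = 'DefaultFormat'; Value = 'Doc' }   # REG_SZ: Word 97-2003 Document (*.doc)
    Excel = @{ Name = 'DefaultFormat'; Value = 56 }      # REG_DWORD: Excel 97-2003 Workbook (*.xls)
}

foreach ($app in ($expected.Keys | Sort-Object)) {
    $key    = Join-Path $base "$app\Options"
    $name   = $expected[$app].Name
    $actual = $null

    if (Test-Path $key) {
        $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    }

    # Compare as strings so the REG_SZ and REG_DWORD cases share one code path.
    $state = if ($null -eq $actual) {
                 'policy not set (application saves as Office Open XML)'
             } elseif ("$actual" -eq "$($expected[$app].Value)") {
                 'legacy binary format enforced by policy'
             } else {
                 "unexpected value '$actual'"
             }

    [pscustomobject]@{ Application = $app; PolicyKey = $key; Value = $actual; State = $state }
}
```

Because the values live under the Policies hive, the user cannot change them from the application’s Save options; the check therefore tells the pilot team whether the GPO has reached the client rather than whether a particular user has adjusted a preference.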
2.3.2 Symantec Endpoint Protection 11
Table 2-4: SEP11 Installation Information

Category: Information

Version: Symantec Endpoint Protection v11 Release Update 5 (RU5)
Rationale: SEP 11 is the DND-standard anti-malware and host protection suite, which must be present on all Windows-based desktop and laptop computers.
Installed Components: This list of installed components is based on current DND SEP 11 documentation for DNET Windows XP.
• Core services
• Anti-virus services
• Network Threat Protection
• Network Access Control
Service packs & Updates: As defined by DIMEI 2
Configuration Management: SEP 11 clients are centrally managed with a policy server. Policy is defined by DIMEI 2.
Installation Method: Installation source is cached locally (C:\LocalSource\SEP) during the image creation process. Silent install from local source during the image deployment process. This is done to ensure that SEP doesn’t interfere with the image creation and deployment processes.
2.3.3 Cisco Security Agent
Table 2-5: CSA Installation Information

Category: Information

Version: Cisco Security Agent
Rationale: CSA 6.0 is an integral component of iAccess and the desktop security and is required to function with the Windows 7 OS.
Installed Components: Client components
Service packs & Updates: As defined by DIMEI 2
Configuration Management: CSA is centrally managed with a policy server. Policy is defined by DIMEI 2.
Installation Method: Installation source is cached locally (C:\LocalSource\CSA) during the image creation process. Silent install from local source during the image deployment process. This is done to ensure that CSA doesn’t interfere with the image creation and deployment processes.
2.3.4 Sun Java Virtual Machine
Table 2-6: Java Virtual Machine Installation Information

Category: Information

Version: Java Runtime
Rationale: For application support and enhanced browsing capability
Installed Components: Vendor components
Service packs & Updates: Delivered via SMS
Configuration Management: As per DIMEI 2.
Installation Method: Silent install during the image creation process in the Deployment Workbench.
2.3.5 Adobe Reader
Table 2-7: Adobe Reader Installation Information

Category: Information

Version: Adobe Reader
Rationale: DND standard for viewing PDF-formatted documents.
Installed Components: Full Installation (No Google Toolbar)
Service packs & Updates: Delivered via SMS
Configuration Management: As per DIMEI 2.
Installation Method: Silent install during the image creation process in the Deployment Workbench.
2.3.6 Adobe Flash Player
Table 2-8: Adobe Flash Player Installation Information

Category: Information

Version: Adobe Flash Player
Rationale: Enhance the user’s Internet browsing experience.
Installed Components: Full Installation (No Google Toolbar)
Service packs & Updates: Delivered via SMS
Configuration Management: As per DIMEI 2
Installation Method: Silent install during the image creation process in the Deployment Workbench.
2.3.7 Regional Settings and Keyboard Selection
The regional settings allow system configuration for the language, date, time, and keyboard formats that users require.
The default regional settings will be set as follows:
• Current Format: English (Canada)
• Current Location: (Canada)
• Default Input Language: English (Canada) – US
• Installed Keyboards: English (Canada) US; Canadian French
• Language Bar: Docked in the Taskbar
• Language Toggle: Left Alt + Shift
Move to build Doc!
3. Set Network Registry Key
This is a Run Command Line step with the following commands for x64 and x86 respectively:
reg add HKLM\SOFTWARE\Wow6432Node\NDM /v Network /t REG_DWORD /d 1
reg add HKLM\SOFTWARE\Policies\NDM /v Network /t REG_DWORD /d 1
We set the registry value for the network key to 1 for DNet and 2 for ComdNet, and this is normally done via a GPO. However, during deployment the GPO does not apply quickly enough for the applications in the task sequence that depend on it (i.e. CSA); therefore this registry poke is required as the first step in the Install Software group of the task sequence.
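As an added example (not the document’s own task-sequence step), the PowerShell script below performs the same registry poke but selects the key by OS architecture, takes the DNet/ComdNet value as a parameter, and reads the value back so that the task sequence fails visibly instead of letting CSA start against a missing or wrong environment value. The key paths and the 1/2 values are those stated in the document; the architecture test uses the PROCESSOR_ARCHITECTURE variables so it works when the task sequence host runs as a 32-bit process on x64.

```powershell
# Added example (not from the DND document): set the NDM "Network" value for the
# target environment, choosing the key by architecture as the document specifies,
# and verify the write so the task sequence stops if the value did not land.
param(
    [ValidateSet('DNet', 'ComdNet')]
    [string]$Environment = 'DNet'
)

# Values as stated in the document: 1 = DNet, 2 = ComdNet.
$value = @{ DNet = 1; ComdNet = 2 }[$Environment]

# A 32-bit task-sequence host on x64 reports x86 in PROCESSOR_ARCHITECTURE but
# sets PROCESSOR_ARCHITEW6432, so test both to detect the real OS architecture.
$is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or (-not [string]::IsNullOrEmpty($env:PROCESSOR_ARCHITEW6432))

# Key paths as given in the document for x64 and x86 respectively.
$key = if ($is64) { 'HKLM:\SOFTWARE\Wow6432Node\NDM' } else { 'HKLM:\SOFTWARE\Policies\NDM' }

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
# -Force overwrites an existing value without the interactive prompt reg.exe would raise.
New-ItemProperty -Path $key -Name 'Network' -PropertyType DWord -Value $value -Force | Out-Null

# Verify: CSA reads this value early in the Install Software group, so a silent
# failure here would leave the agent configured for the wrong network.
$actual = (Get-ItemProperty -Path $key -Name 'Network').Network
if ($actual -ne $value) {
    Write-Error "Network value at $key is '$actual', expected $value"
    exit 1
}
Write-Output "Network=$value written to $key"
```

Run it as the first step in the Install Software group with `-Environment ComdNet` on ComdNet builds; a non-zero exit code surfaces in the task sequence log rather than in a CSA policy mismatch discovered later.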
Appendix A: USGCB Configuration Spreadsheet
For the detailed DND GPO settings, please consult the DNDCB-GPO-settings SharePoint website.
Appendix B: Windows 7 Image Core Components & Software
At the time of writing, the components and software programs in the table below were installed through the SCCM task sequence to complete the Windows 7 image. Core components added to Windows 7 as part of the Phase 1 MDT reference image creation are covered in section 2.3.
Note: Updates will be captured in the Windows 7 Image Creation SOP.
Table B-1: Windows 7 Image Components – Non-Core Components task-sequenced using SCCM

Columns: Software | Version | Comments | DWAN | CSNI Physical/Persistent | CSNI VHD

Symantec Endpoint Protection 11 (SEP-11) | 11 RU5 | Since SEP-11 interferes with OSD, it is only copied to a local source location on the image. At the end of deployment, SEP-11 is installed from the local source. All environment-specific versions of the client will be stored in the local source.
Microsoft Configuration Manager Client | 2007 | The Configuration Manager client is delivered at deployment time to help reduce the number of managed images by half (unmanaged versus production). The application is installed as part of the MDT Deployment Point (LTI) or the Configuration Manager Task Sequence.
Entrust Entelligence Security Provider | 9+ | Already approved/in use on DWAN
Entrust ESPo 8 Plug for Outlook and SafeNet Borderless Protection | |
CSA | 6 | Since CSA 6 interferes with OSD, it is only copied to a local source location on the image. At the end of deployment, CSA 6 is installed from the local source. All environment-specific versions of the client will be stored in the local source.
SAC SafeNet Authentication Client SAFE | | Already approved/in use on DWAN & CSNI
DND SCCM Set Cache Size | 1.0 |
TerraGo Toolbar | | Already approved/in use on CSNI
Google Earth Plugin | | Already approved/in use on CSNI
Titus | | Already approved/in use on CSNI
NetBanner | | Already approved/in use on CSNI
VmWare View Agent | | Permits PCoIP connectivity to virtual desktop
VMWare Tools | | Additional device drivers/tools to support virtual machines
Set Network Registry Key | | Set the registry for the network key to 1 for DNet and 2 for ComdNet